Digital Forensics Lecture 1: Course Introduction, Legal/Policy Overview, Assignment 1
Source: NMT Computer Science, ...df/lectures/DF Intro.pdf


0011 0010 1010 1101 0001 0100 1011

Digital Forensics, Lecture 1

Course Introduction
Legal/Policy Overview
Assignment 1


Instructors

• David Duggan
  – Phone: 845-8100 (work)
  – Email: [email protected]
  – Office Hours:
    • By Appointment
    • After Class
• Bob Hutchinson
  – Phone: 844-4131 (work)
  – Email: [email protected]
  – Office Hours:
    • By Appointment
    • After Class
• Lorie Liebrock
  – Office: Cramer 210B
  – Phone: x6729
  – Email: liebrock
  – Class Email: DF@cs (for assignments)
  – Office Hours:
    • Monday 2-3 pm
    • Thursday 3:30 - 4:30 pm
    • By Appointment


Module 1

Course Logistics


Class Information

• Lab
  – Cramer 228
• Textbook
  – "Incident Response & Computer Forensics", 2nd Ed., 2003, by K. Mandia, C. Prosise, and M. Pepe
• Class web site
  – www.cs.nmt.edu/~DF


Code of Conduct

• Students will be held to a professional standard

• Restrict the application of principles and tools to course objectives

• Failure to follow professional standards will result in removal from the course and a failing grade

Honor Code


Objectives

• Students will be able to:
  – Describe digital forensics and relate it to an investigative process.
  – Explain the legal issues of preparing for and performing digital forensic analysis based on the investigator's position and duty.
  – Perform basic digital forensics.
  – Demonstrate use of digital forensics tools.
  – Guide a digital forensics exercise.
  – Recognize the state of the practice and the gaps in technology, policy, and legal issues.


Tentative Schedule

1: Introduction to legal issues, context, and digital forensics.
2-3: Media Analysis: disk structure, file systems (NTFS, EXT 2/3, HFS), and physical layer issues.
4: Live Data Collection.
5: Analysis Techniques: keyword searches, timelines, hidden data, ...
6: Application Analysis.
7: Network Analysis.
8: Midterm.
9: Analysis of Cell phones, PDAs, etc.
10: Binary Code Analysis (Guest lecturer: Alex Berry).
11: Evidence: collection, preservation, testimony...
12: Legal Community Panel.
13: Research Challenges.
14: Open.
15-16: Project Presentations.


Grading

• Approximate grading breakdown:
  – Research Projects: 40%
  – Topical Paper and Presentation: 10%
  – Lab Assignments: 20%
  – Quizzes: 5%
  – Midterm Exam: 10%
  – Participation / Contribution: 15%
• Straight scale


Research Projects (40%)

• All projects are required to have a statement of work containing:
  – a statement of the problem being addressed,
  – a description of the proposed deliverable,
  – the general approach,
  – a midsemester milestone description (the milestone is due with the midterm),
  – the team members and their roles.
• This statement of work must be agreed to by each team member and approved by the instructors before the project can commence.
• All projects must have a final report and presentation, submitted electronically to DF@cs before class on 28 November 2006.
• For class submissions, the subject should be your last name (or group designation) followed by the project id (e.g., "Liebrock: Lab1").
• Each student in every group must fairly grade the contribution of other students in their group based on the group statement of work and the student performance.
• Each group (including every member) will present the results of their project in class.
• Each student's group projects will be evaluated in terms of group and individual performance.
• Late projects do not exist.


Topical Paper and Presentation (10%)

• You will research a digital forensics topic.
• You will write a brief (5 pages) paper and give a short (5 minute) presentation on the topic.
• Late assignments do not exist.


Lab Assignments (20%)

• Lab assignments will reinforce lecture concepts and demonstrate application of critical thinking skills. Lab assignments are to be completed in groups of two students. Late assignments do not exist.


Quizzes (5%)

• Occasional quizzes will be used to reinforce concepts, check student comprehension, and instigate discussion. Missed quiz points cannot be made up.


Examination (10%)

• The midterm will consist of a mix of multiple choice, short answer, and short essay questions. Your goal should be to demonstrate knowledge and understanding of major course concepts.


Participation and Contribution (15%)

• Participate in class discussions, ask questions, and contribute ideas.

• The “final exam” will be a brainstorming session focused on generating ideas to address technology gaps. Your grade in this session will be a major portion of your participation grade.


Module 2

Digital Forensics (DF) Course Overview


What is Digital Forensics?

• Digital forensics definition
  – Preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis [1]
• One piece of an overall investigative process
• A method of seeking truth and establishing evidence

[1] Computer Forensics: Incident Response Essentials, Kruse and Heiser


General DF Process Model

• We will use this simplified model to relate the lectures and labs to an overall investigation

• Note the role of legal/policy in this model

[Figure: Legal/Policy spanning the chain Preparation → Collection → Analysis → Findings/Evidence → Reporting/Action]


Topical Course Overview (1 of 3)

• What is DF? (covered)
• Who uses DF?
  – Industry
  – State and local government
  – Federal government
    • DOJ (civilian), DoD (military), Treasury, NASA
• What are the job opportunities?
• What unique roles and responsibilities do these organizations have?


Topical Course Overview (2 of 3)

• How is DF performed?
  – Preparation of the system
    • Legal, policy, technical, process, training, etc.
    • Based on role and responsibility
  – Collection of data
    • Again, based on role and responsibility as well as technology
  – Analysis of data
    • Based on investigative goal, other evidence, and available tools
  – Generation of findings and evidence
  – Reporting


Topical Course Overview (3 of 3)

• What are the current issues?
  – Legal and policy drive everything else
  – Explosion of information technology
    • Number of users
    • Number of data/file formats
    • Number of media types
    • Types of data networks
    • Size of data
    • Protection and hiding of data
  – Unintended use of technology
    • E.g., use a printer as a file server
  – Complexity of protocols
    • Convergence of services on a common transmission media


Module 3

Legal/Policy Overview


Today's Topic: Legal/Policy Overview

• Goal: Provide an understanding of the sources of law and policy and how these concepts drive permissible actions based on various roles.

[Figure: Legal/Policy spanning the chain Preparation → Collection → Analysis → Findings/Evidence → Reporting/Action]


Legal Systems

• Public Law
  – Proscribe behavior society finds objectionable
  – Constitutional, administrative, and criminal
• Private Law
  – Make an injured party whole and end disputes
  – Contracts and torts
• Types of Legal Systems
  – Civil Law (codified) – based on a collection of statutes
    • Louisiana
  – Common Law (case law) – based on case authority
    • Other 49 states


Sources of Law

1. The U.S. Constitution
2. Federal statutes and treaties
3. Executive orders
4. The 50 state constitutions
5. State statutes
6. Local ordinances
7. Rulings of federal, state, and local agencies
8. Decisions by federal and state courts

• Primary source of law


Title 18 – Crimes and Criminal Procedure

• Part I, Chapter 47, Section 1029
  – Fraud and related activity with access devices
• Part I, Chapter 47, Section 1030
  – Fraud and related activity in connection with computers
• Part I, Chapter 65, Section 1362
  – Communication lines, stations, or systems…
• Part I, Chapter 119, Section 2511
  – Interception and disclosure of wire, oral, or electronic communications prohibited
• Part I, Chapter 121, Section 2701
  – Unlawful access to stored communications
• Part I, Chapter 121, Section 2702
  – Disclosure of contents (service provider)
• Part I, Chapter 121, Section 2703
  – Requirements for governmental access


USA Patriot Act

• Extends trap and trace to all forms of electronic communications
• Nationwide execution of court orders
• Treats stored voicemail like email
• Intercept communications from an electronic trespasser (requires owner's permission)
• Adds computer crimes to Title III list
• Requires financial institutions to report $10k transactions (Suspicious Activity Report)
• Encourages cooperation between law enforcement and foreign intelligence investigators
• Plus other changes…


Digital Millennium Copyright Act (DMCA)

• Makes it illegal to circumvent copyright protection
  – Is binary code a copyright protection?
• Outlaws manufacture, sale, and distribution of code cracking devices
  – Remember DEFCON, 2001?
• Has provisions for security research and compatibility testing
• Exemptions for non-profit library and archives under certain circumstances
• Limits ISPs from liability for simply transmitting
• Service providers must remove material from web sites that "appears" to constitute copyright infringement
• "Web casters" must pay license fees


New Mexico State Laws

• N.M. Stat. § 30-45-3
  – Computer access with intent to defraud
• N.M. Stat. § 30-45-4
  – Computer abuse (damage to a computer system)
• N.M. Stat. § 30-45-5
  – Unauthorized computer use
• Other state laws:
  – http://www.ncsl.org/programs/lis/cip/hacklaw.htm
  – http://www.onlinesecurity.com/Community_Forum/exp-table-uuc.php


How Does Duty Vary with Role?

• Criminal investigators and law enforcement individuals must follow strict procedures to discover and preserve evidence

• Corporate employees must follow policies documented by the corporation
  – Investigators and regular employees

• Everyone must obey the law


Policies Must…

• Exist
• Be legal
  – Title 18 allows monitoring for system protection
  – Legal counsel should be involved in formulation
• Be adequately communicated
  – Banners are required (case authority)
• Support your business objectives
  – When do you involve law enforcement?
  – When do you restore operations?
  – When do you unplug?
• Not be too specific


Any Investigation

• Must be guided by policy
• Should generally be as quiet as possible
• Should be documented for your purposes
• Should not be over documented
• Must be objective using logic and reason
  – Abduction, induction, deduction (John Stuart Mill)


Assignment 1

Research Papers


Research Paper Motivation

• Information technology changes too rapidly for anyone to keep pace with everything

• DF tools and techniques are changing daily as are legal and policy positions

• With this assignment, we all have a role in keeping the course material current and relevant


Research Paper Assignment

• Choose a topic
  – Required topics (all must be selected):
    • we will show a list
    • you get the sticky tab that matches the topic you want
    • print your name on the sticky tab
    • turn it in to the instructors
  – Optional topics:
    • remaining students choose from optional topics.
  – You may swap topics by both students asking an instructor for the change before class ends.


Written Research Paper

• Topic: [Media Analysis]
• Executive Summary: [briefly summarize the content of the paper]
• DF Purpose: [determine if a system was involved in a crime, the nature of that crime, the extent of the crime, the victim or perpetrator of the crime, and the links to other evidence]
• State of Practice: [there are many tools including, …, that provide capabilities including, …, some are open source, …, some are law enforcement only, …, general features include, …, some are well established in court, …, it takes an expert to use, …, non-IT individuals can easily use, …, the most advanced are, …]


Written Research Paper (cont.)

• Gaps in Technology: [None of the existing tools are able to …, if only we could, …]
• State of Research: [Purdue is working on …, Government is working on …]
• Your Ideas on What Should Be Done Now: [The problem …, is best addressed by developing …]
• Future of Practice: [With the changes predicted in technology, …]
• Future of Research: [With the changes predicted in technology, …]
• Bibliography


Research Paper Notes

• The number following each topic is the week that the paper will be due and the topic will be presented.

• Later papers/presentations will have to be better polished.

• Work must address all roles.
• Notes on topics:
  – I & J have special requirements


Required Topics

A. Collection and analysis of network traffic (7)
B. Cell phones (9)
C. PDAs (9)
D. Summary of past two years cases (12)
E. CD-R/RW and DVD+-R/RW media analysis (3)
F. Email analysis: client and web (6)
G. Web analysis (6)
H. Timeline analysis (5)
I. Digital life analysis: undergrad – single (13)
J. Digital life analysis: grad – married with children (13)
K. Peer to peer networks (13)
L. Testifying tips (12)
M. Forensics certifications (11)
N. Risk analysis for evidence collection (11)
O. Wireless network traffic (7)
P. File encoding and detection (5)
Q. File carving (3)
R. Tools for live collection (4)
S. Volatile data (4)
T. Tools for binary analysis (10)
U. Detection of malicious code (10)


Optional Topics

1. Grid analysis (13)
2. Digital cameras (9)
3. IRC analysis (6)
4. Large data analysis (13)
5. Network devices: routers, switches, … (7)
6. Investigation of non-traditional equipment: autos, washers, … (9)
7. MP3 players (9)
8. Flash media (9)
9. Non-IT parents' ability to investigate their child's behavior (11)
10. Storage area networks (7)
11. Redundant array of inexpensive devices (3)
12. Volatile data in routers (4)
13. Volatile data in PDAs (4)
14. Laws – federal (12)
15. Laws – state: New Mexico (12)
16. Laws – state: California (12)
17. Laws – international (12)
18. Blacklist / whitelist analysis (5)
19. File extension renaming and signaturing (5)
20. Encryption and password recovery (5)
21. Steganography detection (5)
22. Microsoft Office forensics (6)
23. Internet Explorer forensics (6)
24. Mozilla / Firefox forensics (6)
25. EnCase forensic toolkit (11)
26. SMART forensic toolkit (11)
27. Paraben forensic toolkit (11)
28. Access Data forensic toolkit (11)
29. Sleuth Kit forensic toolkit (11)
30. Behavioral analysis (10)
31. Reverse engineering (10)
32. Encrypted binaries (10)
33. Graph analysis (5)
34. Causal analysis (13)
35. Data mining for digital forensics (5)
36. Public computer analysis (13)
37. Tools for Mac digital forensics (3)


Questions?

After all, you are an investigator